
CVE-2024-26780: Vulnerability in the Linux kernel

Severity: High
Published: Thu Apr 04 2024 (04/04/2024, 08:20:15 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

af_unix: Fix task hung while purging oob_skb in GC.

syzbot reported a task hung; at the same time, GC was looping infinitely in list_for_each_entry_safe() for OOB skb. [0]

syzbot demonstrated that the list_for_each_entry_safe() was not actually safe in this case. A single skb could have references for multiple sockets. If we free such a skb in the list_for_each_entry_safe(), the current and next sockets could be unlinked in a single iteration.

unix_notinflight() uses list_del_init() to unlink the socket, so the prefetched next socket forms a loop itself and list_for_each_entry_safe() never stops.

Here, we must use while() and make sure we always fetch the first socket.

[0]:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 unix_gc+0x563/0x13b0 net/unix/garbage.c:319
 unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
 unix_release+0x91/0xf0 net/unix/af_unix.c:1064
 __sock_release+0xb0/0x270 net/socket.c:659
 sock_close+0x1c/0x30 net/socket.c:1421
 __fput+0x270/0xb80 fs/file_table.c:376
 task_work_run+0x14f/0x250 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa8a/0x2ad0 kernel/exit.c:871
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
 __do_sys_exit_group kernel/exit.c:1031 [inline]
 __se_sys_exit_group kernel/exit.c:1029 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f9d6cbdac09
Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
 </TASK>

AI-Powered Analysis

Last updated: 06/29/2025, 18:40:05 UTC

Technical Analysis

CVE-2024-26780 is a denial-of-service bug in the Linux kernel's af_unix (UNIX domain socket) code, in the garbage collector step that purges pending out-of-band socket buffers (unix_sk->oob_skb) from sockets already identified as unreachable garbage. The collector walked the candidate sockets with list_for_each_entry_safe(), which tolerates removal of the current element only because it prefetches a pointer to the next one before the loop body runs. That assumption does not hold here: a single skb can carry SCM_RIGHTS references to several sockets, so freeing one socket's oob_skb runs unix_notinflight() for every socket referenced by that skb, and unix_notinflight() unlinks each of them from the list with list_del_init(). When the current socket and the prefetched next socket are both unlinked in the same iteration, list_del_init() leaves the next socket's list node pointing at itself; the loop advances to it, reads its next pointer, gets the same node back, and never reaches the list head again. The task then spins in kernel mode, pinning its CPU. The syzbot backtrace above shows exactly that: CPU 1 is stuck in unix_gc() (net/unix/garbage.c:319), reached from unix_release_sock() while the process closes its last socket during exit_group, so the spinning task is already exiting and cannot be killed, and other tasks that need UNIX socket garbage collection wait behind it (the "task hung" in the title). The fix replaces the iterator with a while() loop that re-reads the first entry of the list on every pass, so a stale prefetched pointer is never followed. syzbot, the continuous kernel fuzzer built on syzkaller, reproduced the bug on 6.8.0-rc3; the affected kernels are those carrying the oob_skb purge in unix_gc() and built with AF_UNIX out-of-band support (CONFIG_AF_UNIX_OOB), and the fixed mainline and stable versions are given in the Linux kernel CNA record rather than on this page. The consequence is loss of availability (a hung task and a busy CPU); the report gives no indication of memory corruption or privilege escalation. No exploitation in the wild is known as of publication. The record carries no CVSS score; it is published by the Linux kernel CNA and has been enriched by CISA.
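The iteration hazard described above, reproduced in user space as an added example (this is not kernel code and not the upstream fix). The list primitives and the list_for_each_entry_safe() macro follow the semantics of include/linux/list.h; toy_sock, toy_skb and toy_kfree_skb() are constructed stand-ins for unix_sock, the fd-carrying skb, and the list_del_init() that unix_notinflight() performs when a socket's in-flight count drops to zero. The constructed candidate list has one oob skb that references both the current and the next socket, which is the condition the description names. Both walks are capped so the program terminates; the kernel had no such cap.

```c
/* User-space model of the af_unix GC list hazard behind CVE-2024-26780.
 * Added example: list helpers mirror include/linux/list.h semantics; the
 * socket/skb structs and toy_kfree_skb() are constructed stand-ins. */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
/* Same shape as the kernel macro: 'n' is prefetched before the body runs. */
#define list_for_each_entry_safe(pos, n, head, member)				\
	for (pos = list_entry((head)->next, __typeof__(*pos), member),		\
	     n = list_entry(pos->member.next, __typeof__(*pos), member);	\
	     &pos->member != (head);						\
	     pos = n, n = list_entry(n->member.next, __typeof__(*n), member))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *e, struct list_head *head)
{
	e->prev = head->prev; e->next = head;
	head->prev->next = e; head->prev = e;
}
/* Unlink and make the node point at itself, as list_del_init() does. */
static void list_del_init(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev;
	INIT_LIST_HEAD(e);
}

struct toy_sock;
struct toy_skb {
	struct toy_sock *fds[4];	/* sockets whose fds ride in this skb */
	int nfds;
};
struct toy_sock {
	struct list_head link;		/* position on the candidate list */
	struct toy_skb *oob_skb;	/* pending out-of-band skb, if any */
	int inflight;			/* references held by in-flight skbs */
};

/* Stand-in for kfree_skb() -> unix_notinflight() on every fd in the skb:
 * drop the in-flight count and unlink the socket once it reaches zero. */
static void toy_kfree_skb(struct toy_skb *skb)
{
	for (int i = 0; i < skb->nfds; i++) {
		struct toy_sock *u = skb->fds[i];
		if (--u->inflight == 0)
			list_del_init(&u->link);
	}
	skb->nfds = 0;
}

/* Constructed input: candidates A, B, C. A's oob skb carries fds for A and
 * B, so freeing it unlinks the current (A) and the prefetched next (B) in a
 * single iteration. C's oob skb carries only C. */
static struct toy_sock sk[3];
static struct toy_skb skb_ab, skb_c;

static void build_candidates(struct list_head *gc_candidates)
{
	INIT_LIST_HEAD(gc_candidates);
	for (int i = 0; i < 3; i++) {
		INIT_LIST_HEAD(&sk[i].link);
		sk[i].oob_skb = NULL;
		sk[i].inflight = 1;
		list_add_tail(&sk[i].link, gc_candidates);
	}
	skb_ab = (struct toy_skb){ .fds = { &sk[0], &sk[1] }, .nfds = 2 };
	skb_c  = (struct toy_skb){ .fds = { &sk[2] }, .nfds = 1 };
	sk[0].oob_skb = &skb_ab;
	sk[2].oob_skb = &skb_c;
}

#define ITER_CAP 1000

/* Pre-fix shape. Returns the iteration count, or -1 when the walk never
 * gets back to the list head (the kernel had no cap: a hung task). */
static int purge_oob_prefetch_next(void)
{
	struct list_head gc_candidates;
	struct toy_sock *u, *next;
	int iters = 0;

	build_candidates(&gc_candidates);
	list_for_each_entry_safe(u, next, &gc_candidates, link) {
		struct toy_skb *skb = u->oob_skb;

		if (++iters > ITER_CAP)
			return -1;
		if (skb) {
			u->oob_skb = NULL;
			toy_kfree_skb(skb);	/* may unlink u AND next */
		}
	}
	return iters;
}

/* Fixed shape from the description: re-read the first entry every pass.
 * Returns the number of skbs freed, or -1 if the list did not drain. */
static int purge_oob_refetch_first(void)
{
	struct list_head gc_candidates;
	int freed = 0, iters = 0;

	build_candidates(&gc_candidates);
	while (!list_empty(&gc_candidates)) {
		struct toy_sock *u = list_entry(gc_candidates.next,
						struct toy_sock, link);
		struct toy_skb *skb = u->oob_skb;

		if (++iters > ITER_CAP)
			return -1;
		if (skb) {
			u->oob_skb = NULL;
			toy_kfree_skb(skb);
			freed++;
		}
	}
	return freed;
}

int main(void)
{
	printf("prefetch-next walk: %d (-1 means it never terminated)\n",
	       purge_oob_prefetch_next());
	printf("refetch-first walk: freed %d skbs, list drained\n",
	       purge_oob_refetch_first());
	return 0;
}
```

Build with cc -Wall -o gc_loop gc_loop.c. The prefetch walk hits the cap after freeing skb_ab, because B's self-pointing node is handed back as "next" forever; the refetch walk frees both skbs and exits when the list is empty. The refetch loop only terminates if every socket still on the list is eventually unlinked by freeing some candidate's oob skb; the constructed input satisfies that, which is the property the description's while() rewrite depends on.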

Potential Impact

For European organizations, the exposure is denial of service on hosts running an affected kernel. The trigger is local: AF_UNIX sockets are not reachable over the network, so an attacker first needs to run code on the machine, but that code needs no privileges, since creating UNIX domain socket pairs, passing file descriptors with SCM_RIGHTS and sending MSG_OOB are ordinary unprivileged operations. That makes the bug most relevant wherever untrusted or semi-trusted code shares a kernel: multi-tenant container platforms, CI runners, shared shell hosts and sandboxed services, where a compromised workload can hang a task and pin a CPU on the host rather than only inside its own namespace. Confidentiality and integrity are not affected; nothing in the report suggests memory corruption or privilege escalation. Availability is: the spinning task cannot be recovered short of a reboot, other work that depends on UNIX socket garbage collection stalls behind it, and services built on af_unix IPC (systemd, D-Bus, container runtimes and most local daemons) can degrade. No exploitation in the wild was known at publication, but syzbot reproduced the hang, so the bar for a local attacker is low. Operators of large Linux fleets, such as financial institutions, telecommunications providers and cloud service providers, should weigh the reboot cost of a kernel update against live patching rather than leave the window open.

Mitigation Recommendations

1. Apply the kernel update that carries the fix for CVE-2024-26780 for your distribution or kernel branch; the Linux CNA record lists the fixed mainline and stable versions, and distribution advisories list the backports. Compare uname -r on each host against your vendor's fixed version.
2. Until patched, watch for the symptoms: "INFO: task ... blocked for more than N seconds" reports from the hung task detector and "BUG: soft lockup" watchdog messages in dmesg or the journal whose backtrace names unix_gc or unix_release_sock, and a single process in kernel mode at 100% CPU that does not respond to kill.
3. Reduce who can trigger it. The bug is local-only and needs no privileges, so the exposure is untrusted code on a shared kernel: avoid scheduling untrusted workloads on hosts you cannot afford to reboot, and prefer VM isolation over containers for hostile tenants until the fix is deployed.
4. Use kernel live patching (kpatch, Canonical Livepatch, Oracle Ksplice, SUSE Live Patching or similar) where available to close the window without a reboot cycle.
5. Be realistic about application-side measures: the purge loop only runs for garbage-collected sockets that hold a pending MSG_OOB byte, so services under your control can avoid MSG_OOB on AF_UNIX streams, but this does nothing against a hostile local process.
6. Test the patched kernel in staging before production rollout.
7. Keep incident response runbooks ready for a host stuck in this state: the looping task is in kernel mode and the practical recovery is a reboot, so plan for failover of the services on that host.
8. Confirm patch availability and timelines with your distribution vendor for each kernel branch in use.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-02-19T14:20:24.177Z
CISA Enriched: true
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 682d982ac4522896dcbe3b73

Added to database: 5/21/2025, 9:08:58 AM

Last enriched: 6/29/2025, 6:40:05 PM

Last updated: 8/8/2025, 9:09:29 PM

